MS KB 326480 has more info:
This article describes how to set up the Active Directory Migration Tool (ADMT) to perform a migration from a Windows NT 4.0-based domain to a Windows Server 2003-based domain.
You can use the ADMT to migrate users, groups, and computers from one domain to another, and to analyze the migration impact before and after the actual migration process. Make sure that you run ADMT from the primary domain controller (PDC) that is the Flexible Single Master Operation (FSMO) role holder in the target domain.
How to Set Up ADMT for a Windows NT 4.0-to-Windows Server 2003 Migration
Before you upgrade a Windows NT 4.0 domain to a Windows Server 2003-based domain, the following domain and security configurations are required.
Note: This article assumes that the source domain is running Windows NT 4.0 Service Pack 4 (SP4) or later with 128-Bit encryption, and that the target domain is a Windows Server 2003-based domain in native mode. Also, the Windows Server 2003 must have 128-Bit encryption (which comes as a default setting in Windows 2003).
- Configure the source domain to trust the target domain.
- Configure the target domain to trust the source domain.
- Add the Domain Admins global group from the source domain to the Administrators local group in the target domain.
- Add the Domain Admins global group from the target domain to the Administrators local group in the source domain.
- Create a new local group in the source domain called Source Domain$$$.
Note: There must be no members in this group.
- Enable auditing for the success and failure of user and group management on the source domain.
- Enable auditing for the success and failure of Audit account management on the target domain in the Default Domain Controllers policy.
- On the PDC in the source domain, add the TcpipClientSupport:REG_DWORD:0x1 value to the following registry key:
- Administrative shares must exist on the domain controller in the target domain on which you run ADMT, and on any computers on which an agent must be dispatched.
- You must log on to the computer on which you run ADMT with an account that has the following permissions:
- Domain Administrator rights in the target domain.
- A member of the Administrators group in the source domain.
- Administrator rights on each computer that you migrate.
- Administrator rights on each computer on which you translate security.
- You will have the appropriate rights when you log on to the PDC that is the FSMO role holder in the target domain with the Source Domain\Administrator account, assuming that the Source Domain\Domain Administrators group is a member of the Administrators group on each computer.
Download Active Directory Migration Tool v2.0 (4.7mb)
For more information about how to use ADMT to perform a migration, see ADMT Help. Start the Active Directory Migration Tool, click Help Topics on the Help menu, click the Contents tab, and then click Active Directory Migration Tool.